DETAILED ACTION

1. This office action is in reply to an amendment filed on March 5, 2007. 
Independent claims 1 and 23 are amended. Claims 1-33 are
pending/examined.

Response to Arguments 

2. Applicant's remarks/arguments filed on March 5, 2007 regarding claims 1-33
have been fully considered but they are not persuasive.

Applicant's argument is based on the following limitation, which is added to the
respective independent claims 1 and 23: "...automatically implementing said
appropriate response to mitigate damage to said network of computing resources
from said unauthorized intrusion by isolating said remotely located
computing resource."

Applicant's representative wrote the following in support of his argument.

"Talpade does not teach or suggest, among other things "...isolating said
remotely located computing resource," as recited by Claim 1. Independent Claims
12 and 23 should be patentable for similar reasons as that of Claim 1."

Examiner disagrees with the above argument.

Examiner would point out that the primary reference on the record, namely
Talpade, at least in the abstract discloses the following, which meets the
following limitation: "automatically implementing said appropriate response to
mitigate damage to said network of computing resources from said unauthorized
intrusion, by isolating said remotely located computing resource"

"Service attacks, such as denial of service and distributed denial of service 
attacks, of a customer network are detected and subsequently mitigated by the Internet 
Service Provider (ISP) that services the customer network. A sensor examines the traffic 
entering the customer network for attack traffic. When an attack is detected, the 
sensor notifies an analysis engine within the ISP network to mitigate the attack.
The analysis engine configures a filter router to advertise new routing information 
to the border and edge routers of the ISP network. The new routing information 
instructs the border and edge routers to reroute attack traffic and non-attack 
traffic destined for the customer network to the filter router. At the filter router, 
the attack traffic and non-attack traffic are automatically filtered to remove the attack 
traffic. The non-attack traffic is passed back onto the ISP network for routing towards 
the customer network."

As is explicitly disclosed in the abstract, when an attack is detected, the
sensor notifies an analysis engine within the ISP network to mitigate the attack. The
analysis engine configures a filter router to advertise new routing information to the
border and edge routers of the ISP network. The new routing information
diverts/reroutes all traffic (attack traffic/intrusion and non-attack traffic) destined for
the customer network to the filter router. Therefore by doing so, the remotely located
computing resource/customer network is isolated from receiving any traffic whatsoever,
until the filter router filters and removes the attack traffic.

It is only after the attack traffic/intrusion is filtered at the filter
router that the non-attack traffic is passed back onto the ISP network for
routing towards the customer network.

Therefore it is undoubtedly clear that the computing resource is 
isolated from unauthorized intrusion/ attack traffic, so that the appropriate 
response to mitigate the damage to the said network of computing resources is 
automatically implemented. 

Therefore each and every limitation of the independent claims is
disclosed by the reference on the record, namely Talpade, as shown below.

As per independent claims 1, 12 and 23 Talpade discloses a method for
responding to network intrusions, comprising: [Abstract]

• a) receiving an intrusion detection system (IDS) alert from an IDS
sensor [Figure 2, ref. Num "234" and "236"/sensor] located in a network of
computing resources [figure 2, ref. Num "204", customer network] wherein said IDS
alert indicates an unauthorized intrusion upon a remotely located computing
resource in said network of computing resources; [Abstract] (As explained in the
abstract, a sensor shown on figure 2, ref. Num "214" and "236" examines the traffic
entering the remotely located customer network shown on figure 2, ref. Num "204" and
"206" for attack traffic. When an attack is detected, the sensor notifies an analysis
engine within the ISP network to mitigate the attack. Therefore the analysis engine as
shown on figure 2, ref. Num "232", which is also located remotely with respect to the
customer computing resource network shown on figure 2, ref. Num "204" and "206", is
notified of the IDS alert indicating an unauthorized intrusion/attacks.)

• b) identifying said IDS alert; [See paragraph 0023] (The analysis engine shown
on figure 2, ref. Num "232" identifies the DDoS attacks/intrusion when receiving a
DDoS notification/intrusion notification from the sensor located remotely as shown on
figure 2, ref. Num "234" and "236") and

• c) determining an appropriate response to said IDS alert [For example
see Abstract, "the analysis engine as appropriate response to said IDS alert/notification
for instance, configures a filter router to advertise new routing information"] that is
identified at a location separate from said remotely located computing resource
[figure 2 and Abstract] (The computing resources are located inside the customer network
shown on figure 2, ref. Num "204" and "206"; however, the IDS alert is identified first at
the sensor shown on figure 2, ref. Num "234" and "236", which is
separate from said remotely located computing resource located inside the customer
network shown on figure 2, ref. Num "204" and "206". Furthermore, the IDS alert is also
identified at the analysis engine shown on figure 2, ref. Num "232", which is also separate
from said remotely located computing resource located inside the customer network
shown on figure 2, ref. Num "204" and "206") so that said determining said
appropriate response is unaffected by said unauthorized intrusion (As explained in
the abstract, a sensor shown on figure 2, ref. Num "214" and "236" examines the traffic
entering the remotely located customer network shown on figure 2, ref. Num "204" and
"206" for attack traffic. When an attack is detected, the sensor notifies an analysis engine
within the ISP network to mitigate the attack. Therefore the analysis engine as shown on
figure 2, ref. Num "232", which is also located remotely with respect to the customer
computing resource network shown on figure 2, ref. Num "204" and "206", is notified of the
IDS alert indicating an unauthorized intrusion/attacks, and an appropriate response to
said unauthorized intrusion is taken by the analysis engine, such as configuring a filter
router or diverting the traffic. Therefore such appropriate response is unaffected by said
unauthorized intrusion.); and

• d) automatically implementing said appropriate response to mitigate
damage to said network of computing resources from said unauthorized intrusion
by isolating said remotely located computing resource, [paragraph 0024-0027 and
abstract] (See for instance paragraph 0024, "automatically mitigates the attack by
configuring one or more filter routers. Furthermore, as is explicitly disclosed in the
abstract, when an attack is detected, the sensor notifies an analysis engine within the
ISP network to mitigate the attack. The analysis engine configures a filter router to
advertise new routing information to the border and edge routers of the ISP network. The
new routing information diverts/reroutes all traffic (attack traffic/intrusion and non-attack
traffic) destined for the customer network to the filter router. Therefore by doing so, the
remotely located computing resource/customer network is isolated from receiving any
traffic whatsoever, until the filter router filters and removes the attack traffic. It is only
after the attack traffic/intrusion is filtered at the filter router that the non-attack traffic is
passed back onto the ISP network for routing towards the customer network. Therefore it
is undoubtedly clear that the computing resource is isolated from unauthorized
intrusion/attack traffic, so that the appropriate response to mitigate the damage to the
said network of computing resources is automatically implemented.")

In response to applicant's argument that the references fail to show certain 
features of applicant's invention, it is noted that the features upon which 
applicant relies (i.e., advantages / benefits that the invention provides) are not 
recited in the rejected claim(s). Although the claims are interpreted in light of 
the specification, limitations from the specification are not read into the claims. 
See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 

It has been found that the present amendment does not basically change
the scope of the independent claims, and the limitation is something which is already
disclosed by the reference. Therefore the rejection is maintained until applicant further
amends at least the independent claims and successfully overcomes the ground of
rejection set forth in this office action.

Claim Rejections - 35 USC §102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published 
under section 122(b), by another filed in the United States before the invention by 
the applicant for patent or (2) a patent granted on an application for patent by 
another filed in the United States before the invention by the applicant for patent, 
except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in 
the United States only if the international application designated the United States 
and was published under Article 21(2) of such treaty in the English language. 

4. Claims 1-33 are rejected under 35 U.S.C. 102(e) as being anticipated by
Talpade et al (hereinafter referred as Talpade) (U.S. Publication No. 2004/0148520)
(filed on January 29, 2003)

5. As per independent claims 1, 12 and 23 Talpade discloses a method for
responding to network intrusions, comprising: [Abstract]

• a) receiving an intrusion detection system (IDS) alert from an IDS
sensor [Figure 2, ref. Num "234" and "236"/sensor] located in a network of
computing resources [figure 2, ref. Num "204", customer network] wherein said IDS
alert indicates an unauthorized intrusion upon a remotely located computing
resource in said network of computing resources; [Abstract] (As explained in the
abstract, a sensor shown on figure 2, ref. Num "214" and "236" examines the traffic
entering the remotely located customer network shown on figure 2, ref. Num "204" and
"206" for attack traffic. When an attack is detected, the sensor notifies an analysis
engine within the ISP network to mitigate the attack. Therefore the analysis engine as
shown on figure 2, ref. Num "232", which is also located remotely with respect to the
customer computing resource network shown on figure 2, ref. Num "204" and "206", is
notified of the IDS alert indicating an unauthorized intrusion/attacks.)

• b) identifying said IDS alert; [See paragraph 0023] (The analysis engine shown
on figure 2, ref. Num "232" identifies the DDoS attacks/intrusion when receiving a
DDoS notification/intrusion notification from the sensor located remotely as shown on
figure 2, ref. Num "234" and "236") and

• c) determining an appropriate response to said IDS alert [For example
see Abstract, "the analysis engine as appropriate response to said IDS alert/notification
for instance, configures a filter router to advertise new routing information"] that is
identified at a location separate from said remotely located computing resource
[figure 2 and Abstract] (The computing resources are located inside the customer network
shown on figure 2, ref. Num "204" and "206"; however, the IDS alert is identified first at
the sensor shown on figure 2, ref. Num "234" and "236", which is
separate from said remotely located computing resource located inside the customer
network shown on figure 2, ref. Num "204" and "206". Furthermore, the IDS alert is also
identified at the analysis engine shown on figure 2, ref. Num "232", which is also separate
from said remotely located computing resource located inside the customer network
shown on figure 2, ref. Num "204" and "206") so that said determining said
appropriate response is unaffected by said unauthorized intrusion (As explained in
the abstract, a sensor shown on figure 2, ref. Num "214" and "236" examines the traffic
entering the remotely located customer network shown on figure 2, ref. Num "204" and
"206" for attack traffic. When an attack is detected, the sensor notifies an analysis engine
within the ISP network to mitigate the attack. Therefore the analysis engine as shown on
figure 2, ref. Num "232", which is also located remotely with respect to the customer
computing resource network shown on figure 2, ref. Num "204" and "206", is notified of the
IDS alert indicating an unauthorized intrusion/attacks, and an appropriate response to
said unauthorized intrusion is taken by the analysis engine, such as configuring a filter
router or diverting the traffic. Therefore such appropriate response is unaffected by said
unauthorized intrusion.); and

• d) automatically implementing said appropriate response to mitigate
damage to said network of computing resources from said unauthorized intrusion
by isolating said remotely located computing resource, [paragraph 0024-0027 and
abstract] (See for instance paragraph 0024, "automatically mitigates the attack by
configuring one or more filter routers. Furthermore, as is explicitly disclosed in the
abstract, when an attack is detected, the sensor notifies an analysis engine within the
ISP network to mitigate the attack. The analysis engine configures a filter router to
advertise new routing information to the border and edge routers of the ISP network. The
new routing information diverts/reroutes all traffic (attack traffic/intrusion and non-attack
traffic) destined for the customer network to the filter router. Therefore by doing so, the
remotely located computing resource/customer network is isolated from receiving any
traffic whatsoever, until the filter router filters and removes the attack traffic. It is only
after the attack traffic/intrusion is filtered at the filter router that the non-attack traffic is
passed back onto the ISP network for routing towards the customer network. Therefore it
is undoubtedly clear that the computing resource is isolated from unauthorized
intrusion/attack traffic, so that the appropriate response to mitigate the damage to the
said network of computing resources is automatically implemented.")

6. As per claims 2, 13 and 24 Talpade discloses a method for responding to
network intrusions as applied to claims above. Furthermore Talpade discloses the
method, wherein a) further comprises: a1) detecting a suspicious
intrusion into said computing resource; [Abstract and figure 2 and particularly,
figure 2, ref. Num "234"/sensor] (The computing resources are inside the customer
network shown on figure 2, ref. Num "204" and "206")

a2) determining said suspicious intrusion is unauthorized; [Paragraph 0017]
(Sensor detects an attack) a3) generating said IDS alert; [See Abstract, notification
generated by the sensor] and a4) sending said IDS alert to an IDS manager that is
located remotely from said computing resource within said network of computing
resources. [Paragraph 0024, the IDS alert/notification is sent to the Analysis engine
and consequently to the ISP policy manager. Therefore ISP manager located remotely is
notified and this meets the limitation of sending said IDS alert to an IDS manager that
is located remotely from said computing resource within said network of computing
resources.]

7. As per claims 3, 14 and 35 Talpade discloses a method for responding to
network intrusions as applied to claims above. Furthermore Talpade discloses the
method, wherein a2) further comprises: determining said suspicious intrusion is
unauthorized when said suspicious intrusion matches with at least one of a list of
unauthorized intrusions. [Figure 2, ref. 248 "filter sensors inside the sensors shown
on figure 2, ref. Num "234" and "236", filtering inherently contains matching]

8. As per claims 4-5, 15-16 and 26-27 Talpade discloses a method for
responding to network intrusions as applied to claims above. Furthermore Talpade
discloses the method, wherein comprises: detecting said suspicious intrusion at a
network-based intrusion detection system (NIDS) sensor located within said
network of computing resources. [See sensor located within said network of
computing resources shown on figure 2, ref. Num "234" and "236"]

9. As per claims 6, 22 and 28 Talpade discloses a method for responding to
network intrusions as applied to claims above. Furthermore Talpade discloses the
method, wherein d) further comprises: d1) interfacing with a power controller that
controls power to said computing resource to shut power to said computing
resource. [Paragraph 0027] (Analysis engine 232 also assists in shutting-down DDoS
attacks at the edge of the ISP network)

10. As per claims 7-10, 18-21 and 29-32 Talpade discloses a method for
responding to network intrusions as applied to claims above. Furthermore Talpade
discloses the method, wherein d) further comprises: d1) interfacing with at least
one switch, an associated switch, in said network of computing resources to
virtually reconfigure said associated switch in order to virtually isolate said
computing resource from remaining computing resources in said network of
computing resources. [See Abstract and figure 2 and paragraph 0017] (The new routing
information instructs the border and edge routers to reroute all DDoS and non-DDoS
traffic destined to the customer network on which the attack is detected, which virtually
isolates said customer computing resources from the remaining computing resources until the
DDoS traffic is removed.)

11. As per claims 11, 17 and 33 Talpade discloses a method for responding to
network intrusions as applied to claims above. Furthermore Talpade discloses the
method wherein said network of computing resources comprises a provisional
data center. [See paragraph 0007, SOHO, Small office customer/home office customer
which are located inside the Figure 2, ref. Num "204" and "206" inherently contains
some kinds of data center.]

Conclusion 

12. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory 
action is not mailed until after the end of the THREE-MONTH shortened 
statutory period, then the shortened statutory period will expire on the date the 
advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a)
will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from 
the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Samson B Lemma whose telephone number is 
571-272-3806. The examiner can normally be reached on Monday-Friday (8:00
am - 4:30 pm).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, BARRON JR GILBERTO can be reached on 571-272-3799. The fax phone
number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private 
PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

SAMSON LEMMA 
05/20/2007 